Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Combining program verificationwith component-based architectures
Alexander SenierBOB 2018
Berlin, February 23rd, 2018
23.02.2018 2
AboutComponolit
23.02.2018 3
What happens when we use what's best?
23.02.2018 4
What’s Best?Mid-90ies: DOS+Pascal
program WriteName;var i : Integer; {variable to be used for looping} Name : String; {declares the variable Name as a string}begin Write('Please tell me your name: '); ReadLn(Name); {Return string entered by the user} for i := 1 to 100 do begin WriteLn('Hello ', Name) end; readln;end.
23.02.2018 5
What’s Best?End of 90ies: Linux+C
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; ... other checks ... fail: ... buffer frees (cleanups) ... return err;
23.02.2018 6
What’s Best?Mid 2000s: Linux/FreeBSD/NetBSD+Ada
type Day_type is range 1 .. 31;type Month_type is range 1 .. 12;type Year_type is range 1800 .. 2100;type Hours is mod 24;type Weekday is (Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday);type Date is record Day : Day_type; Month : Month_type; Year : Year_type; end record;
23.02.2018 7
What’s Best?Today and in the Future
That’s what this talk is about.
23.02.2018 8
“Use what’s best”
⇒“Trustworthy systems”
23.02.2018 9
¬ “Use what’s best”
⇒???
23.02.2018 10
What’s Best?Our answer (so far) – Outline
■ Problem
▪ Unsafe programming languages
▪ Monolithic systems
■ Solution
▪ Component-based systems
▪ Program verification
■ Future
▪ Verification of high-level models
▪ Protocol verification
23.02.2018 11
ProblemUnsafe Programming Languages
■ Stragefright (July 2015)
▪ Billions of devices affected
▪ Remote code execution, privilege escalation
▪ As easy as sending video/image
■ Problem not solved since
▪ > 350 bugs (critical/high)
▪ Integer overflows
▪ Integer underflows
▪ Buffer overflows
▪ Heap overflows
23.02.2018 12
ProblemMonolithic Systems
■ Typical System Architecture
■ Most systems monolithic today
▪ Complex features
▪ Large, shared services
▪ Weak isolation
■ Consequences
▪ Large Trusted Computing Base
▪ High error probability
▪ Unrestricted error propagation
Linux Kernel(Networking, Devices Drivers, File Systems,
Encryption, Security Policies, ...)
BluetoothService
ServiceY
...Wifi
Service
MediaFramework
FrameworkX
...
App 1 App nApp 2 App 3 App 4 ...
Trusted Computing Base
23.02.2018 13
SolutionOur Constraints
■ Minimal Trusted Computing Base
■ System/low-level programming
■ Low overhead
23.02.2018 14
SolutionThe Genode OS Framework*
■ Recursive system structure
▪ Root: Microkernel
▪ Parent: Responsibility + control
▪ Isolation is default
▪ Strict communication policy
■ Everything is a user-process
▪ Application
▪ File systems
▪ Drivers, Network stacks
■ Hierarchical System Architecture
*) https://genode.org
23.02.2018 15
SolutionMinimal Trusted Computing Base
■ Trusted Computing Base
▪ Software required for security
▪ Parents in tree
▪ Services used
■ TCB reduction
▪ Application-specific
▪ Example: File system
■ Per-application TCB
23.02.2018 16
Does that mean we have to reimplement everything?
23.02.2018 17
Architecture for Trustworthy SystemsStrategy #1: Policy Objects
■ Can’t reimplement everything
■ Solution: software reuse
▪ Untrusted software (gray)
▪ Policy object (green)
▪ Client software (orange)
■ Policy object
▪ Establishes assumptions of client
▪ Sanitizes
▪ Enforces additional policies
■ Policy objects
Network
Stack
Web
browser
Protocol validator
(e.g. TLS)
23.02.2018 18
Architecture for Trustworthy SystemsStrategy #2: Trusted Wrappers
■ Untrusted software (gray)
▪ E.g. disk, file system, cloud
■ Trusted wrapper
▪ Mandatory encryption
■ Client software (orange)
▪ No direct interaction with untrusted components
▪ Minimal attack surface
■ Trusted wrapper
Network
Stack
Web
Browser
VPN
Component
23.02.2018 19
Architecture for Trustworthy SystemsStrategy #3: Transient components
■ Untrusted software
▪ E.g. Media decoder
▪ No chance to get this right!
■ Transient component
▪ Temporarily instantiate untrusted software for single file/stream
▪ Expose only simple interfaces (e.g. PCM audio)
▪ Cleanup on completion
■ Transient component
Network Audio PlayerDecoder
read-only simple
Controller
23.02.2018 20
But, what if trusted components fail?
23.02.2018 21
High-assurance ImplementationA simple task: Calculating abs()
// Calculate absolute of X1 int abs_value (int X)2 {3 if (X > 0) {4 return X;5 } else {6 return -X;7 };8 }
// Let’s try abs_value()abs_value(-12345) ⟹ 12345abs_value(56789) ⟹ 56789abs_value(0) ⟹ 0abs_value(-2147483648) ⟹ -2147483648
23.02.2018 22
High-assurance ImplementationAt a glance: SPARK*
■ Language + verification toolset
▪ Imperative, object-oriented
▪ Designed for error avoidance
▪ Strong type system
▪ Formal contracts
*) http://spark-2014.org
■ Depth of verification is flexible
▪ Data and control flow analysis
▪ Dependency contracts
▪ Absence of runtime errors
▪ Functional correctness
23.02.2018 23
High-assurance ImplementationSPARK benefits
■ Well-suited for system-level development
▪ Compiled using GCC (via GNAT Ada frontend)
▪ Supports runtime-free mode (via profiles)
▪ Integration of full Ada and bindings to C
■ Used in various critical and system-level projects
▪ Muen Separation Kernel (https://muen.sk)
▪ Satellite software, air traffic control, secure workstation
23.02.2018 24
High-assurance ImplementationOur previous example
1 function Abs_Value (X : Integer) return Integer 2 with 3 -- Uncomment the following line to prove 4 -- Pre => X /= Integer'First, 5 Post => Abs_Value'Result = abs (X) 6 is 7 begin 8 if X > 0 then 9 return X;10 else11 return -X; 12 end if;13 end Abs_Value;
Proving...Phase 1 of 2: generation of Global contracts ...Phase 2 of 2: flow analysis and proof ...abs_value.adb:11:14: medium: overflow check might fail (e.g. when Abs_Value'Result = 0 and X = -2147483648)One error.
23.02.2018 25
High-assurance ImplementationBitwise swap using XOR
1 with Interfaces; use Interfaces; 2 3 procedure Bitwise_Swap (X, Y : in out Unsigned_32) with 4 Post => X = Y'Old and Y = X'Old 5 is 6 begin 7 X := X xor Y; 8 Y := X xor Y; 9 -- Uncomment the following line to prove10 -- X := X xor Y;11 end Bitwise_Swap;
Proving...Phase 1 of 2: generation of Global contracts ...Phase 2 of 2: flow analysis and proof ...bitwise_swap.adb:4:11: medium: postcondition might fail, cannot prove X = Y'old (e.g. when X = 0 and Y'Old = 4294967295)One error.
23.02.2018 26
Let’s put it together.
23.02.2018 27
Componolit PlatformBaseband firewall – Architecture
Phone
USB
Laptop
Baseband
Proxy
Genode (base system)
USB Filter
VirtualBox
Android
Proxy
23.02.2018 28
Componolit PlatformBaseband firewall – Implementation
23.02.2018 29
What’s Best?Future: More Verification!
■ Interactive theorem proving
▪ Functional specification in Isabelle/HOL
▪ Prove correspondence with SPARK program
■ Protocol verification
▪ See ourselves implementing communication protocols…
▪ ...over and over again
■ Goal
▪ Closed specification of communication protocols
▪ Verification of protocol properties using temporal logic
▪ Generation of code
Interested in ideas!
23.02.2018 30
Questions?
Alexander [email protected]
@Componolit · componolit.com · github.com/Componolit
2017-02-03 31
2017-02-03 32
StagefrightBugs rated critical/high since 2015